Bitcoin mining malware hits new highs

In the last 6 months we have seen a trend of malware authors and malicious web developers gearing up their mining operations. This type of cryptocurrency mining malware can either be built into a webpage stealing CPU cycles in the background, or, Trojan’s designed to drop a mining payload generating money for the attacker while slowing down your workstations.

This could be due to the boom in bitcoin and other cryptocurrency’s over the last few months with Bitcoin reaching a record high of 1btc = $19,783.21 at the end of last year. [1] This goes to prove that mining malware has a lot of potential to be very lucrative for malicious actors.

Although these miners can just seem like a nuisance they can cause issues to businesses, from causing a slow down across the network leading to frustration from staff and reduced productivity. But also, each stolen CPU cycle can be reducing the lifespan of critical equipment in the long term.

ProofPoint have pointed to the NSA’s EternalBlue exploit kits being used in some malware miners, these are reported to have generated over $2.8m which could be an indication to the money being made by the attackers as well as the rise of the Monero miner. [2]

Although this may sound like bad news there is a silver lining, due to the profits being gained in cryptocurrency mining malware authors are moving away from ransomware attacks to this more lucrative market. [3] This could mean less damaging and disruptive attacks are on the horizon.

There are however a few basic steps that can ensure you are protected from these kinds of attack. Firstly, good standard practice is to block IRC communication from your network unless absolutely necessary. This can combat malware being able to call home in most cases. Also, implementing or ensuring you are using an IPS with an up to date ruleset enabled, this will block all known threats and bad locations. Another step is monitoring CPU usage on servers and workstations, good RMM products can easily monitor CPU activity and inform appropriate admins of this behaviour, these can be a key indicator of this type of infection.

Finally, using an email gateway to disarm any active content which may contain mining malware.

Ant Robinson – Senior Cybersecurity Specialist

Unsure about your security posture? Talk to us today and see what services we could offer your business to keep you secure.